OpenLDAP with SASL: No principal in keytab matches desired name
Hi, All!
We are using OpenLDAP + Kerberos to perform user validation here, and
now I need to enable OpenLDAP's SASL authentication (to use with Cyrus
IMAP and QMail). I'm testing it with OpenLDAP (2.2.13 - Fedora Core 3),
but, when I try to perform a search - like:
# ldapsearch -h my.host.name -Y GSSAPI
(after doing a kinit), I get the message:
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Internal (implementation specific) error (80)
additional info: SASL(-1): generic failure: GSSAPI Error:
Miscellaneous failure (No principal in keytab matches desired name)
Question is: what principal is missing?? I tried running slapd with
various debug flags, but it says only:
conn=0 fd=10 ACCEPT from IP=143.106.77.85:33134 (IP=0.0.0.0:389)
conn=0 op=0 BIND dn="" method=163
SASL [conn=0] Failure: GSSAPI Error: Miscellaneous failure (No principal
in keytab matches desired name)
conn=0 op=0 RESULT tag=97 err=80 text=SASL(-1): generic failure: GSSAPI
Error: Miscellaneous failure (No principal in keytab matches desired name)
conn=0 fd=10 closed
My /usr/lib/sasl2/slapd.conf has only one line:
auxprop_plugin: slapd
and I _do_ have a ldap/my.host.name at my keytab:
# ktutil
ktutil: rkt /etc/openldap/slapd.keytab
ktutil: l
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    4 ldap/my.host.name@ROOT.IME.UNICAMP.BR
   2    4 ldap/my.host.name@ROOT.IME.UNICAMP.BR
   3    4 ldap/my.host.name@ROOT.IME.UNICAMP.BR
   4    4 ldap/my.host.name@ROOT.IME.UNICAMP.BR
ktutil:
(the "srvtab" parameter at my slapd.conf points to the file above)
This host is DNS-resolving itself fine in both direct and reverse ways,
and I'm running slapd as root (for tests). Using ldapsearch with
simple auth works fine (with and without TLS). I have saslauthd
running (and it is working with testsaslauthd, and with
sasl-sample-server/client, using GSSAPI mech.)
The slapd.conf I'm using looks like this:
----------------------------------------------------------------
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/nis.schema
allow bind_v2
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
TLSCACertificateFile /usr/share/ssl/certs/cacert.pem
TLSCertificateFile /usr/share/ssl/certs/myhost.pem
TLSCertificateKeyFile /usr/share/ssl/certs/myhost.key
sasl-host damasco.ime.unicamp.br
srvtab /etc/openldap/slapd.keytab
sasl-regexp UID=([^,]*),CN=.* UID=$1,OU=People,DC=teste,DC=com
# FOR TEST ONLY!
access to * by * write
database bdb
suffix "dc=teste,dc=com"
rootdn "cn=boss,dc=teste,dc=com"
rootpw teste
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
----------------------------------------------------------------
Btw, after running ldapsearch, klist shows me a service principal, in
addition to my own one:
# klist
Credentials cache: /tmp/krb5cc_0
Default principal: me@ROOT.IME.UNICAMP.BR, 2 entries found.
[1] Service Principal: krbtgt/ROOT.IME.UNICAMP.BR@ROOT.IME.UNICAMP.BR
Valid starting: Dec 22, 2004 12:39
Expires: Dec 23, 2004 12:39
[2] Service Principal: ldap/my.host.name@ROOT.IME.UNICAMP.BR
Valid starting: Dec 22, 2004 12:39
Expires: Dec 23, 2004 12:39
This thing is really driving me crazy...
Some hint??
Thanks in advance!!
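The check a practitioner would run against the situation above, as an added example that is not part of the original post and does not claim to diagnose the poster's real setup: the GSSAPI acceptor in slapd asks the keytab for `ldap/<the name slapd uses for itself>@REALM`, where that name is `sasl-host` from slapd.conf (or the canonical hostname when `sasl-host` is unset), and the comparison is exact, so the keytab must contain precisely that string. The script parses a `ktutil: l` listing in the format shown in the post, builds the expected principal and reports what is there instead. The two listings embedded in it are constructed samples (one with the post's `ldap/my.host.name` keys, one with a key for a different host name), and `diagnose`, `desired_principal` and `parse_ktutil_listing` are names chosen here, not anything from OpenLDAP or Kerberos.

```python
"""Check a slapd keytab for the principal GSSAPI will ask it for.

Added example, not code from the original post. Assumes "ktutil: l" output
as printed in the post; both sample listings below are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: keys for the host name the poster's keytab shows.
KTUTIL_LISTING_OK = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    4 ldap/my.host.name@ROOT.IME.UNICAMP.BR
   2    4 ldap/my.host.name@ROOT.IME.UNICAMP.BR
"""

# Constructed sample: a keytab cut for one host name while slapd announces another.
KTUTIL_LISTING_OTHER_HOST = """\
slot KVNO Principal
---- ---- ---------------------------------------------------------------------
   1    4 ldap/damasco.ime.unicamp.br@ROOT.IME.UNICAMP.BR
"""


@dataclass(frozen=True)
class KeytabEntry:
    slot: int
    kvno: int
    principal: str


# One data row of a "ktutil: l" listing: slot, kvno, service/host@REALM.
_ENTRY_RE = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\S+/\S+@\S+)\s*$")


def parse_ktutil_listing(text: str) -> list[KeytabEntry]:
    """Pull (slot, kvno, principal) rows out of a "ktutil: l" listing."""
    entries = []
    for line in text.splitlines():
        m = _ENTRY_RE.match(line)
        if m:
            entries.append(KeytabEntry(int(m.group(1)), int(m.group(2)), m.group(3)))
    return entries


def desired_principal(service: str, host: str, realm: str) -> str:
    """Name the acceptor wants: service/<name slapd uses for itself>@REALM.

    The host part is sasl-host from slapd.conf, or the canonical hostname when
    sasl-host is unset. No case folding: principal names are compared exactly.
    """
    return f"{service}/{host.rstrip('.')}@{realm}"


def diagnose(listing: str, sasl_host: str, realm: str, service: str = "ldap") -> dict:
    """Compare keytab contents with the principal slapd will look for."""
    entries = parse_ktutil_listing(listing)
    want = desired_principal(service, sasl_host, realm)
    exact = [e for e in entries if e.principal == want]
    findings: list[str] = []

    if not entries:
        findings.append("keytab listing is empty or not in ktutil format")
    elif not exact:
        findings.append(f"no entry for {want}")
        # Same name up to case: a common trap, since comparison is case-sensitive.
        case_only = sorted({e.principal for e in entries if e.principal.lower() == want.lower()})
        if case_only:
            findings.append("only a case-different match exists: " + ", ".join(case_only)
                            + " (principal comparison is case-sensitive)")
        # Right service, wrong host: sasl-host / canonical name vs. keytab disagree.
        same_service = sorted({e.principal for e in entries
                               if e.principal.split("/", 1)[0] == service
                               and e.principal not in case_only})
        if same_service:
            findings.append(f"keytab has {service} keys for other names: "
                            + ", ".join(same_service)
                            + "; sasl-host (or the canonical hostname) and the keytab disagree")
        other_realms = sorted({e.principal.rsplit("@", 1)[1] for e in entries} - {realm})
        if other_realms:
            findings.append("keytab realms differ from the expected one: " + ", ".join(other_realms))

    return {
        "desired": want,
        "ok": bool(exact),
        "kvnos": sorted({e.kvno for e in exact}),
        "findings": findings,
    }


if __name__ == "__main__":
    for name, listing in (("ok", KTUTIL_LISTING_OK), ("other-host", KTUTIL_LISTING_OTHER_HOST)):
        print(name, diagnose(listing, "my.host.name", "ROOT.IME.UNICAMP.BR"))
```

To use it on a real server, run `ktutil`, then `rkt /etc/openldap/slapd.keytab` and `l`, and pass that text together with the value of `sasl-host` (or, if it is unset, the fully qualified name the host resolves itself to) and the realm. An exact match only proves the name is right: the key version (KVNO) in the keytab still has to match the one the KDC is issuing tickets with, and when slapd runs as an unprivileged user the keytab file must be readable by that user.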